Last revised 12/06/21

Data Privacy Addendum

This Data Privacy Addendum (“Addendum”) is entered into as of the Effective Date (defined below) amends the Agreement between Your Company ( “Company”) and Ethena, Inc. (“Ethena”), each a “Party” and collectively the “Parties.” This Addendum details the Parties’ obligations on the protection of Personal Data associated with Ethena’s Processing of Company’s Personal Data within the scope of the applicable Agreement.

Company and Ethena agree as follows:

1. Definitions. For purposes of this Addendum:

1. “Data Protection Law” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), and all implementing regulations.  For the avoidance of doubt, if Ethena’s processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this Addendum.

2. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.

3. “Personal Data” means any data and information relating to a Data Subject or is otherwise subject to Data Protection Laws that Company uploads or otherwise inputs into the Service and which is Processed by Ethena or a Sub-Processor in the course of providing Services under the Agreement. “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms shall have the same meaning as defined by the applicable Data Protection Laws. 
4. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
5. “Security Incident” means any event that compromises the security, integrity, or confidentiality of Personal Data, including unauthorized or accidental access to, use, disclosure, alteration, loss, or destruction of Personal Data.
6. “Standard Contractual Clauses” means the UK Standard Contractual Clauses, and/or the 2021 Standard Contractual Clauses.
7. “UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU.
8. “2021 Standard Contractual Clauses" means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

2. Scope and Purposes of Processing.

1. Ethena will Process Personal Data solely: (1) to fulfill its obligations to Company under the Agreement, including this Addendum; (2) on Company’s behalf; and (3) in compliance with Data Protection Laws.  Ethena may use Personal Data to provide and improve its Services. Ethena can use aggregated, anonymized, or de-identified data for internal purposes. If a Data Protection Law to which Ethena is subject requires Ethena to Process Personal Data in a manner that conflicts with the terms of the Agreement or this Addendum, Ethena will inform Company of that legal requirement before Processing, unless that law prohibits Company from providing such information on important grounds of public interest within the meaning of Data Protection Laws.
2. Without limiting the foregoing, Company directs Ethena, and Ethena agrees, to Process Personal Data in accordance with Company’s written instructions.
3. Company shall not instruct Ethena to Process Personal Data in violation of applicable Data Protection Laws. Ethena has no obligation to monitor the compliance of Company’s use of the Services with applicable Data Protection Law. If Ethena believes Company’s instructions conflict with the requirements of applicable Data Protection Law, Ethena will inform Company of such conflict.
4. Ethena will not:

1. Retain, use, disclose, or otherwise Process Personal Data in a manner inconsistent with Ethena’s rule as Company’s “Service Provider,” as such term is defined in the CCPA;
2. “Sell” Personal Data, as such term is defined in the CCPA.
3. Attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Company.

3. Personal Data Processing Requirements. Ethena will:

1. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2. Upon written request of Company, assist Company in the fulfilment of Company’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights under Data Protection Laws (such as rights to access or delete Personal Data).
3. Inform Company within a commercially reasonable timeframe, with shall not exceed five (5) business days of any Data Subject request directly received by Ethena exercising their rights in connection to their Personal Data if (i) the request or complaint is received through the contact information specified in the Ethena’s privacy policy and (ii) the request or complaint identifies Company as the Ethena customer to whom it pertains. Ethena will await written instructions from Company on how, if at all, to assist in responding to the request. Additional support relating to Data Subject requests and complaints may be available and would require mutual agreement on fees, the scope of Ethena’s involvement, and any other terms that the Parties deem appropriate.
4. Provide reasonable assistance to and cooperation with Company for Company’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, taking into account the nature of Processing and the information available to Ethena. Additional support for data protection impact assessments or relations with regulators may be available and would require mutual agreement on fees, the scope of Ethena’s involvement, and any other terms that the Parties deem appropriate.
5. Provide reasonable assistance to and cooperation with Company for Company’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Ethena under Data Protection Laws to consult with a regulatory authority in relation to Ethena’s Processing or proposed Processing of Personal Data.

4. Data Security. Ethena will

1. Implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data.
2. Provide reasonable assistance to Company to enable Company to fulfill its compliance obligations, taking into account the nature of Procession and the information available to Ethena. Additional assistance beyond what is reasonable will require agreement between the parties on fees and terms of assistance and may be refused by Ethena.  

5. Security Incident.

1. Ethena will notify Company without undue delay, and in any event within seventy-two (72) hours, of any confirmed Security Incident. Ethena’s notice to Company shall summarize, to the extent available, which may be based on incomplete information: (i) the cause of the Security Incident, (ii) the impact of the Security Incident on Company, (iii) the categories and approximate number of Data Subjects potentially impacted, (iv) the affected Personal Data data elements, (v) the corrective actions to be taken by Ethena, and (vi) any other information required by Data Protection Laws. To the extent it is not possible to provide the foregoing information at the same time, the information may be provided in phases without further undue delay.
2. At Ethena’s own expense, Ethena will take steps to mitigate the effects of the Security Incident and reduce the risk to Data Subjects whose Personal Data was involved.
3. Company is solely responsible for complying with Security Incident notification requirements applicable to Company and fulfilling any third-party notification obligations.

6. Sub-processors.

1. Company acknowledges and agrees that Ethena may use Ethena affiliates and other Sub-processors to Process Personal Data in accordance with the provisions within this Addendum and Data Protection Laws. A current list of Ethena’s Sub-processors can be found https://app.goethena.com/documents/EthenaSubprocessors.html, and Company hereby consents to Ethena’s use of such Sub-processors.
2. Where Ethena sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Ethena will (i) take steps to select and retain Sub-processors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with Data Protection Laws; and (ii) enter into a written agreement with each subcontractor that imposes obligations on the subcontractor that are substantially similar those imposed on Ethena under this Addendum.
3. Ethena will notify Company of any intended changes concerning the addition or replacement of its Sub-processors and provide Company with the opportunity to object to such change within five (5) days of the notification sent by the Ethena. Any prohibition to a proposed Sub-processor must be done in writing. The objection cannot be based on Company’s dislike for the Sub-processor. The objection is only available if Ethena’s engagement of Sub-processor is a material breach of the Agreement or Addendum. Ethena will have the right to cure the objection by: (i) cancelling its plans to use the Sub-processor with regard to the Company’s Personal Data or offering an alternative to provide the Service without such Sub-processor; (ii) taking the corrective steps requested by Company in its objection and proceed to use the Sub-processor with regard to Company’s Personal Data; or (iii) providing Company the opportunity to agree to not use the particular aspect of the Service that would involve the use of such Sub-processor with regard to Company’s Personal Data. In such case, Ethena shall work with the Company in good faith to make available a commercially reasonably change in the provision of the Services which avoids the use of that proposed Sub-processor. Where such a change cannot be made within thirty (30) business days from the Ethena’s receipt of Company’s notice, notwithstanding anything in the Agreement, Company may by written notice to the Ethena with immediate effect, terminate this Agreement and Addendum, to the extent it relates to the Services which require the use of the proposed Sub-processor.
4. Ethena is liable for its Sub-processors’ performance to the same extent Ethena is liable for its own performance, including their breach of any Data Protection Law, consistent with the limitations of liability set forth herein.

7. Audits.

1. Ethena will make available to Company such information in Ethena’s control and possession reasonably necessary to demonstrate compliance with the obligations under this Addendum and allow for and contribute to audits and inspections conducted by Company. Company will not exercise its audit rights more than once in any twelve (12) month calendar period. Any such audit will be tailored to what is reasonably necessary to verify Ethena’s compliance with this Addendum and during Ethena’s normal business hours. Company shall conduct its audit in a manner that will result in minimal disruption to Ethena’s business operations. For the avoidance of doubt, this provision does not grant Company any right to conduct an on-site audit of Ethena’s premises.  
2. Nothing herein will require Ethena to disclose or make available (i) any data of any other customer of Ethena; (ii) access to its systems; (iii) Ethena’s internal accounting or financial information; (iv) any trade secrets of Ethena; (v) any information or access that, in Ethena’s reasonable opinion, could (a) compromise the security of Ethena’s  systems or premises; or (b) cause Ethena to breach its obligations under Data Protection Laws or applicable contracts; or (vi) any information sought for any reason other than the good faith fulfilment of Company’s obligations under Data Protection Laws to audit compliance under the Addendum.  
3. The audit may be carried out by a third party auditor appointed by the Parties. To the extent the Parties appoint a third party representative to conduct the audit, Company shall ensure that such third party representative is bound by obligations of confidentiality no less protective than those contained in this Addendum. All audits shall be conducted at Company’s reasonable expense.
4. Company will provide written communication of any audit findings to Ethena, and the results of the audit will be the confidential information of Ethena.

8. Return or Destruction of Personal Data. Upon termination or expiration of the Agreement, unless prohibited by law, Ethena shall within a commercially reasonable time period and without undue delay: (i) return all Personal Data to Company and delete or anonymize existing copies or (ii) securely destroy and delete or anonymize all Company Personal Data including all copies and backups, where possible. Notwithstanding the foregoing, Ethena may retain Personal Data to the extent required by applicable law or where such Personal Data is necessary to defend legal claims.
9. International Transfers of Personal Data. If Personal Data originates from the European Economic Area, United Kingdom, or Switzerland and is transferred by Company to Ethena for Processing in a country not subject to an adequacy decision in accordance with Data Protection Laws (“Data Transfer”), the Parties will conduct such Data Transfer in accordance with this section of this Addendum.        

1. UK Standard Contractual Clauses. For transfers of Company Personal Data out of the United Kingdom, the UK Standard Contractual Clauses will apply and are incorporated into this Addendum by reference, provided that the illustrative indemnification clause within Appendix 2 of the UK Standard Contractual Clauses will not apply. Attachment A of this Addendum will serve as Appendix 1 of the UK Standard Contractual Clauses.
2. 2021 Standard Contractual Clauses. For transfers of Company Personal Data out of the EEA or Switzerland, the 2021 Standard Contractual Clauses will apply and are incorporated into this Addendum. For purposes of this Addendum, the 2021 Standard Contractual Clauses will apply as set forth in this Section 9.b. “Module Two: Transfer controller to processor” will apply and all other module options will not apply. Under Annex 1 of the 2021 Standard Contractual Clauses, the “data exporter” is Company and the “data importer” is Ethena and the information required by Annex 1 can be found in Attachment A. For the purposes of Annex 2 of the Standard Contractual Clauses, the technical and organizational measures implemented by the data importer are those listed in Section 4 of this Addendum. Clause 7 will not apply. For clause 9, the Parties choose Option 2 and the Parties agree that the time period for prior notice of Third Party changes will be as set forth in 3.c of this Addendum. For clause 11, the optional language will not apply. For clause 17, the Parties choose Option 1 and the Parties agree that the governing law will be the Republic of Ireland. For clause 18, the Parties agree that the courts of the Republic of Ireland will apply for subsection (b).
3. Each party’s signature to this Addendum shall be considered a signature to the Standard Contractual Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Standard Contractual Clauses as separate documents. In case of conflict between the Standard Contractual Clauses and this Addendum, the Standard Contractual Clauses will prevail. 

10. Indemnity and Limitations of Liability.

1. Except for Excluded Addendum Claims (defined below), Ethena shall indemnify, defend and hold harmless Company against any and all claims, damages, expenses and costs directly attributable to any failure by the Ethena to comply with the obligations under this Addendum. As this Addendum is part of the Agreement, the total aggregate liability of Ethena, including any liability for its Sub-processors’ violations, under or in connection with this Addendum will be subject to, and count toward, the agreed limits on liability under the Agreement. Parties shall also follow the indemnification procedures set forth in the Agreement.  
2. Ethena will have no liability for Security Incidents if Ethena complies with its security obligations in this Addendum or if the Security Incident is otherwise attributable to (i) Company’s instructions to Ethena or other acts or omissions of Company, (ii) Ethena’s compliance with the Addendum, (iii) Ethena’s compliance with Company’s instructions, (iv) Company’s breach of the Addendum or other aspects of the Agreement, (v) Company’s failure to use the Services in accordance with the documentation, (vi) Company’s failure to use a security or data protection option that Ethena offers, or (vii) any other situation in which Ethena is not responsible for the event giving rise to the claims, losses or damage ((i) through (vii) are collectively the “Excluded Addendum Claims”).  

11. Conflict. In the event of any conflict or inconsistency between the Agreement and this Addendum, this Addendum shall prevail.
12. Governing Law. The Agreement’s choice of law and venue provision apply to this Addendum unless otherwise required by law.

    ---

Attachment A to

Data Privacy Addendum